diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f66708f..c5e5b7d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +1,6 @@
repos:
- repo: https://github.com/terraform-docs/terraform-docs
- rev: "v0.17.0"
+ rev: "v0.20.0"
hooks:
- id: terraform-docs-go
args: ["markdown", "table", "--output-file", "README.md", "./"]
-
diff --git a/README.md b/README.md
index 847f402..6872a32 100644
--- a/README.md
+++ b/README.md
@@ -228,14 +228,15 @@ https://docs.datafold.com/datafold-deployment/dedicated-cloud/aws
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | >= 4.8.0 |
+| [aws](#requirement\_aws) | >= 6.9.0 |
| [dns](#requirement\_dns) | 3.2.1 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 4.8.0 |
+| [aws](#provider\_aws) | >= 6.9.0 |
+| [null](#provider\_null) | n/a |
| [random](#provider\_random) | n/a |
## Modules
@@ -245,9 +246,12 @@ https://docs.datafold.com/datafold-deployment/dedicated-cloud/aws
| [clickhouse\_backup](#module\_clickhouse\_backup) | ./modules/clickhouse_backup | n/a |
| [database](#module\_database) | ./modules/database | n/a |
| [eks](#module\_eks) | ./modules/eks | n/a |
+| [github\_reverse\_proxy](#module\_github\_reverse\_proxy) | ./modules/github_reverse_proxy | n/a |
| [load\_balancer](#module\_load\_balancer) | ./modules/load_balancer | n/a |
| [networking](#module\_networking) | ./modules/networking | n/a |
+| [private\_access](#module\_private\_access) | ./modules/private_access | n/a |
| [security](#module\_security) | ./modules/security | n/a |
+| [vpc\_peering](#module\_vpc\_peering) | ./modules/vpc_peering | n/a |
## Resources
@@ -258,78 +262,124 @@ https://docs.datafold.com/datafold-deployment/dedicated-cloud/aws
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [alb\_certificate\_domain](#input\_alb\_certificate\_domain) | Pass a domain name like example.com to this variable in order to enable ALB HTTPS listeners.
Terraform will try to find AWS certificate that is issued and matches asked domain,
so please make sure that you have issued a certificate for asked domain already. | `string` | n/a | yes |
+| [alb\_certificate\_domain](#input\_alb\_certificate\_domain) | Pass a domain name like example.com to this variable in order to enable ALB HTTPS listeners.
Terraform will try to find AWS certificate that is issued and matches asked domain,
so please make sure that you have issued a certificate for asked domain already. | `string` | n/a | yes |
+| [allowed\_principals](#input\_allowed\_principals) | List of allowed principals allowed to connect to this endpoint. | `list(string)` | `[]` | no |
| [apply\_major\_upgrade](#input\_apply\_major\_upgrade) | Sets the flag to allow AWS to apply major upgrade on the maintenance plan schedule. | `bool` | `false` | no |
-| [aws\_auth\_accounts](#input\_aws\_auth\_accounts) | List of account maps to add to the aws-auth configmap | `list(any)` | `[]` | no |
-| [aws\_auth\_users](#input\_aws\_auth\_users) | List of user maps to add to the aws-auth configmap | `list(any)` | `[]` | no |
+| [az\_index](#input\_az\_index) | Index of the availability zone | `number` | `0` | no |
| [backend\_app\_port](#input\_backend\_app\_port) | The target port to use for the backend services | `number` | `80` | no |
+| [ch\_data\_ebs\_iops](#input\_ch\_data\_ebs\_iops) | IOPS of EBS volume | `number` | `3000` | no |
+| [ch\_data\_ebs\_throughput](#input\_ch\_data\_ebs\_throughput) | Throughput of EBS volume | `number` | `1000` | no |
+| [ch\_logs\_ebs\_iops](#input\_ch\_logs\_ebs\_iops) | IOPS of EBS volume | `number` | `3000` | no |
+| [ch\_logs\_ebs\_throughput](#input\_ch\_logs\_ebs\_throughput) | Throughput of EBS volume | `number` | `250` | no |
| [clickhouse\_data\_size](#input\_clickhouse\_data\_size) | EBS volume size for clickhouse data in GB | `number` | `40` | no |
| [clickhouse\_logs\_size](#input\_clickhouse\_logs\_size) | EBS volume size for clickhouse logs in GB | `number` | `40` | no |
| [clickhouse\_s3\_bucket](#input\_clickhouse\_s3\_bucket) | Bucket where clickhouse backups are stored | `string` | `"clickhouse-backups-abcguo23"` | no |
-| [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Whether to create the AWS authentication configmap | `bool` | `false` | no |
| [create\_rds\_kms\_key](#input\_create\_rds\_kms\_key) | Set to true to create a separate KMS key (Recommended). | `bool` | `true` | no |
-| [create\_ssl\_cert](#input\_create\_ssl\_cert) | Creates an SSL certificate is set. | `bool` | n/a | yes |
+| [create\_ssl\_cert](#input\_create\_ssl\_cert) | Creates an SSL certificate if set. | `bool` | n/a | yes |
| [database\_name](#input\_database\_name) | RDS database name | `string` | `"datafold"` | no |
+| [datadog\_api\_key](#input\_datadog\_api\_key) | The API key for Datadog | `string` | `""` | no |
+| [db\_extra\_parameters](#input\_db\_extra\_parameters) | List of map of extra variables to apply to the RDS database parameter group | `list` | `[]` | no |
| [db\_instance\_tags](#input\_db\_instance\_tags) | The extra tags to be applied to the RDS instance. | `map(any)` | `{}` | no |
+| [db\_parameter\_group\_name](#input\_db\_parameter\_group\_name) | The specific parameter group name to associate | `string` | `""` | no |
| [db\_parameter\_group\_tags](#input\_db\_parameter\_group\_tags) | The extra tags to be applied to the parameter group | `map(any)` | `{}` | no |
+| [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | The specific subnet group name to use | `string` | `""` | no |
| [db\_subnet\_group\_tags](#input\_db\_subnet\_group\_tags) | The extra tags to be applied to the parameter group | `map(any)` | `{}` | no |
| [default\_node\_disk\_size](#input\_default\_node\_disk\_size) | Disk size for a node in GB | `number` | `40` | no |
+| [deploy\_github\_reverse\_proxy](#input\_deploy\_github\_reverse\_proxy) | Determines that the github reverse proxy should be deployed | `bool` | `false` | no |
+| [deploy\_lb](#input\_deploy\_lb) | Allows a deploy without a load balancer | `bool` | `true` | no |
+| [deploy\_private\_access](#input\_deploy\_private\_access) | Determines that the cluster should be 100% private | `bool` | `false` | no |
| [deploy\_vpc\_flow\_logs](#input\_deploy\_vpc\_flow\_logs) | Activates the VPC flow logs if set. | `bool` | `false` | no |
+| [deploy\_vpc\_peering](#input\_deploy\_vpc\_peering) | Determines that the VPC peering should be deployed | `bool` | `false` | no |
| [deployment\_name](#input\_deployment\_name) | Name of the current deployment. | `string` | n/a | yes |
| [dhcp\_options\_domain\_name](#input\_dhcp\_options\_domain\_name) | Specifies DNS name for DHCP options set | `string` | `""` | no |
-| [dhcp\_options\_domain\_name\_servers](#input\_dhcp\_options\_domain\_name\_servers) | Specify a list of DNS server addresses for DHCP options set | `list(string)` |
[| no | +| [dhcp\_options\_domain\_name\_servers](#input\_dhcp\_options\_domain\_name\_servers) | Specify a list of DNS server addresses for DHCP options set | `list(string)` |
"AmazonProvidedDNS"
]
[| no | | [dhcp\_options\_tags](#input\_dhcp\_options\_tags) | Tags applied to the DHCP options set. | `map(string)` | `{}` | no | | [dns\_egress\_cidrs](#input\_dns\_egress\_cidrs) | List of Internet addresses to which the application has access | `list(string)` | `[]` | no | | [ebs\_extra\_tags](#input\_ebs\_extra\_tags) | The extra tags to be applied to the EBS volumes | `map(any)` | `{}` | no | -| [ebs\_iops](#input\_ebs\_iops) | IOPS of EBS volume | `number` | `3000` | no | -| [ebs\_throughput](#input\_ebs\_throughput) | Throughput of EBS volume | `number` | `1000` | no | -| [ebs\_type](#input\_ebs\_type) | Type of EBS volume | `string` | `"gp3"` | no | +| [ebs\_type](#input\_ebs\_type) | Type for all EBS volumes | `string` | `"gp3"` | no | | [enable\_dhcp\_options](#input\_enable\_dhcp\_options) | Flag to use custom DHCP options for DNS resolution. | `bool` | `false` | no | | [environment](#input\_environment) | Global environment tag to apply on all datadog logs, metrics, etc. | `string` | n/a | yes | +| [github\_cidrs](#input\_github\_cidrs) | List of CIDRs that are allowed to connect to the github reverse proxy | `list(string)` | `[]` | no | | [host\_override](#input\_host\_override) | Overrides the default domain name used to send links in invite emails and page links. Useful if the application is behind cloudflare for example. | `string` | `""` | no | | [ingress\_enable\_http\_sg](#input\_ingress\_enable\_http\_sg) | Whether regular HTTP traffic should be allowed to access the load balancer | `bool` | `false` | no | -| [k8s\_cluster\_version](#input\_k8s\_cluster\_version) | Ref. https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `"1.29"` | no | +| [initial\_apply\_complete](#input\_initial\_apply\_complete) | Indicates if this infra is deployed or not. Helps to resolve dependencies. 
| `bool` | `false` | no | +| [k8s\_access\_bedrock](#input\_k8s\_access\_bedrock) | Allow cluster to access bedrock in this region | `bool` | `false` | no | +| [k8s\_api\_access\_roles](#input\_k8s\_api\_access\_roles) | Set of roles that are allowed to access the EKS API | `set(string)` | `[]` | no | +| [k8s\_cluster\_version](#input\_k8s\_cluster\_version) | Ref. https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `"1.33"` | no | | [k8s\_module\_version](#input\_k8s\_module\_version) | EKS terraform module version | `string` | `"~> 19.7"` | no | +| [k8s\_public\_access\_cidrs](#input\_k8s\_public\_access\_cidrs) | List of CIDRs that are allowed to connect to the EKS control plane | `list(string)` | n/a | yes | +| [lb\_access\_logs](#input\_lb\_access\_logs) | Load balancer access logs configuration. | `map(string)` | `{}` | no | +| [lb\_deletion\_protection](#input\_lb\_deletion\_protection) | Flag if the load balancer can be deleted or not. | `bool` | `true` | no | +| [lb\_deploy\_nlb](#input\_lb\_deploy\_nlb) | Flag if the network load balancer should be deployed (usually for incoming private link). | `bool` | `false` | no | | [lb\_idle\_timeout](#input\_lb\_idle\_timeout) | The time in seconds that the connection is allowed to be idle. | `number` | `120` | no | | [lb\_internal](#input\_lb\_internal) | Set to true to make the load balancer internal and not exposed to the internet. | `bool` | `false` | no | -| [manage\_aws\_auth\_configmap](#input\_manage\_aws\_auth\_configmap) | Determines whether to manage the aws-auth configmap | `bool` | `false` | no | -| [managed\_node\_grp](#input\_managed\_node\_grp) | Ref. https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest/submodules/eks-managed-node-group | `any` | n/a | yes | -| [managed\_node\_grp\_default](#input\_managed\_node\_grp\_default) | Ref. 
https://github.com/awslabs/amazon-eks-ami/blob/master/files/eni-max-pods.txt | `list(any)` | `[]` | no | +| [lb\_name\_override](#input\_lb\_name\_override) | An optional override for the name of the load balancer | `string` | `""` | no | +| [lb\_nlb\_internal](#input\_lb\_nlb\_internal) | Set to true to make the load balancer internal and not exposed to the internet. | `bool` | `true` | no | +| [lb\_subnets\_override](#input\_lb\_subnets\_override) | Override subnets to deploy ALB into, otherwise use default logic. | `list(string)` | `[]` | no | +| [lb\_vpces\_details](#input\_lb\_vpces\_details) | Endpoint service to define for internal traffic over private link |
"AmazonProvidedDNS"
]
object({
allowed_principals = list(string)
private_dns_name = optional(string)
acceptance_required = bool
supported_ip_address_types = list(string)
}) | `null` | no |
+| [managed\_node\_grp1](#input\_managed\_node\_grp1) | Ref. https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest/submodules/eks-managed-node-group | `any` | n/a | yes |
+| [managed\_node\_grp2](#input\_managed\_node\_grp2) | Ref. https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest/submodules/eks-managed-node-group | `any` | `null` | no |
+| [managed\_node\_grp3](#input\_managed\_node\_grp3) | Ref. https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest/submodules/eks-managed-node-group | `any` | `null` | no |
+| [monitor\_lambda\_datadog](#input\_monitor\_lambda\_datadog) | Whether to monitor the Lambda with Datadog | `bool` | `false` | no |
| [nat\_gateway\_public\_ip](#input\_nat\_gateway\_public\_ip) | Public IP of the NAT gateway when reusing the NAT gateway instead of recreating | `string` | `""` | no |
-| [private\_subnet\_tags](#input\_private\_subnet\_tags) | The extra tags to be applied to the private subnets | `map(any)` | `{}` | no |
+| [peer\_region](#input\_peer\_region) | The region of the peer VPC | `string` | `""` | no |
+| [peer\_vpc\_additional\_whitelisted\_ingress\_cidrs](#input\_peer\_vpc\_additional\_whitelisted\_ingress\_cidrs) | List of CIDRs that can pass through the load balancer | `set(string)` | `[]` | no |
+| [peer\_vpc\_cidr\_block](#input\_peer\_vpc\_cidr\_block) | The CIDR block of the peer VPC | `string` | `""` | no |
+| [peer\_vpc\_id](#input\_peer\_vpc\_id) | The VPC ID to peer with | `string` | `""` | no |
+| [peer\_vpc\_owner\_id](#input\_peer\_vpc\_owner\_id) | The AWS account ID of the owner of the peer VPC | `string` | `""` | no |
+| [private\_subnet\_index](#input\_private\_subnet\_index) | Index of the private subnet | `number` | `0` | no |
+| [private\_subnet\_tags](#input\_private\_subnet\_tags) | The extra tags to be applied to the private subnets | `map(any)` | {
"Tier": "private"
} | no |
| [propagate\_intra\_route\_tables\_vgw](#input\_propagate\_intra\_route\_tables\_vgw) | If intra subnets should propagate traffic. | `bool` | `false` | no |
| [propagate\_private\_route\_tables\_vgw](#input\_propagate\_private\_route\_tables\_vgw) | If private subnets should propagate traffic. | `bool` | `false` | no |
| [propagate\_public\_route\_tables\_vgw](#input\_propagate\_public\_route\_tables\_vgw) | If public subnets should propagate traffic. | `bool` | `false` | no |
| [provider\_azs](#input\_provider\_azs) | List of availability zones to consider. If empty, the modules will determine this dynamically. | `list(string)` | `[]` | no |
| [provider\_region](#input\_provider\_region) | The AWS region in which the infrastructure should be deployed | `string` | n/a | yes |
-| [public\_subnet\_tags](#input\_public\_subnet\_tags) | The extra tags to be applied to the public subnets | `map(any)` | `{}` | no |
+| [public\_subnet\_index](#input\_public\_subnet\_index) | Index of the public subnet | `number` | `0` | no |
+| [public\_subnet\_tags](#input\_public\_subnet\_tags) | The extra tags to be applied to the public subnets | `map(any)` | {
"Tier": "public"
} | no |
| [rds\_allocated\_storage](#input\_rds\_allocated\_storage) | The size of RDS allocated storage in GB | `number` | `20` | no |
+| [rds\_auto\_minor\_version\_upgrade](#input\_rds\_auto\_minor\_version\_upgrade) | Sets a flag to upgrade automatically all minor versions | `bool` | `false` | no |
+| [rds\_backup\_window](#input\_rds\_backup\_window) | RDS backup window | `string` | `"03:00-06:00"` | no |
| [rds\_backups\_replication\_retention\_period](#input\_rds\_backups\_replication\_retention\_period) | RDS backup replication retention period | `number` | `14` | no |
| [rds\_backups\_replication\_target\_region](#input\_rds\_backups\_replication\_target\_region) | RDS backup replication target region | `string` | `null` | no |
+| [rds\_copy\_tags\_to\_snapshot](#input\_rds\_copy\_tags\_to\_snapshot) | To copy tags to snapshot or not | `bool` | `false` | no |
| [rds\_extra\_tags](#input\_rds\_extra\_tags) | The extra tags to be applied to the RDS instance | `map(any)` | `{}` | no |
-| [rds\_instance](#input\_rds\_instance) | EC2 insance type for PostgreSQL RDS database.[| no | +| [vpc\_private\_subnets](#input\_vpc\_private\_subnets) | The private subnet CIDR ranges when a new VPC is created. | `list(string)` |
"10.0.0.0/24",
"10.0.1.0/24"
]
[| no | | [vpc\_propagating\_vgws](#input\_vpc\_propagating\_vgws) | ID's of virtual private gateways to propagate. | `list(any)` | `[]` | no | -| [vpc\_public\_subnets](#input\_vpc\_public\_subnets) | The public network CIDR ranges | `list(string)` |
"10.0.0.0/24",
"10.0.1.0/24"
]
[| no | +| [vpc\_public\_subnets](#input\_vpc\_public\_subnets) | The public network CIDR ranges | `list(string)` |
"10.0.100.0/24",
"10.0.101.0/24"
]
[| no | | [vpc\_tags](#input\_vpc\_tags) | The extra tags to be applied to the VPC | `map(any)` | `{}` | no | | [vpc\_vpn\_gateway\_id](#input\_vpc\_vpn\_gateway\_id) | ID of the VPN gateway to attach to the VPC | `string` | `""` | no | +| [vpce\_details](#input\_vpce\_details) | Endpoint names to define with security group rule definitions |
"10.0.100.0/24",
"10.0.101.0/24"
]
map(object({
vpces_service_name = string
subnet_ids = optional(list(string), [])
private_dns_enabled = optional(bool, true)
input_rules = list(object({
description = string
from_port = number
to_port = number
protocol = string
cidr_blocks = string
}))
output_rules = list(object({
description = string
from_port = number
to_port = number
protocol = string
cidr_blocks = string
}))
})) | `{}` | no |
+| [vpn\_cidr](#input\_vpn\_cidr) | CIDR range for administrative access | `string` | `""` | no |
| [whitelisted\_egress\_cidrs](#input\_whitelisted\_egress\_cidrs) | List of Internet addresses the application can access going outside | `list(string)` | n/a | yes |
| [whitelisted\_ingress\_cidrs](#input\_whitelisted\_ingress\_cidrs) | List of CIDRs that can pass through the load balancer | `list(string)` | n/a | yes |
@@ -337,7 +387,7 @@ https://docs.datafold.com/datafold-deployment/dedicated-cloud/aws
| Name | Description |
|------|-------------|
-| [clickhouse\_access\_key](#output\_clickhouse\_access\_key) | The access key of the IAM user doing the clickhouse backups. |
+| [clickhouse\_backup\_role\_name](#output\_clickhouse\_backup\_role\_name) | The name of the role for clickhouse backups |
| [clickhouse\_data\_size](#output\_clickhouse\_data\_size) | The size in GB of the clickhouse EBS data volume |
| [clickhouse\_data\_volume\_id](#output\_clickhouse\_data\_volume\_id) | The EBS volume ID where clickhouse data will be stored. |
| [clickhouse\_logs\_size](#output\_clickhouse\_logs\_size) | The size in GB of the clickhouse EBS logs volume |
@@ -345,27 +395,57 @@ https://docs.datafold.com/datafold-deployment/dedicated-cloud/aws
| [clickhouse\_password](#output\_clickhouse\_password) | The generated clickhouse password to be used in the application deployment |
| [clickhouse\_s3\_bucket](#output\_clickhouse\_s3\_bucket) | The location of the S3 bucket where clickhouse backups are stored |
| [clickhouse\_s3\_region](#output\_clickhouse\_s3\_region) | The region where the S3 bucket is created |
-| [clickhouse\_secret\_key](#output\_clickhouse\_secret\_key) | The secret key of the IAM user doing the clickhouse backups. |
| [cloud\_provider](#output\_cloud\_provider) | A string describing the type of cloud provider to be passed onto the helm charts |
+| [cluster\_endpoint](#output\_cluster\_endpoint) | The URL to the EKS cluster endpoint |
| [cluster\_name](#output\_cluster\_name) | The name of the EKS cluster |
| [cluster\_scaler\_role\_arn](#output\_cluster\_scaler\_role\_arn) | The ARN of the role that is able to scale the EKS cluster nodes. |
| [db\_instance\_id](#output\_db\_instance\_id) | The ID of the RDS database instance |
| [deployment\_name](#output\_deployment\_name) | The name of the deployment |
+| [dfshell\_role\_arn](#output\_dfshell\_role\_arn) | The ARN of the AWS Bedrock role |
+| [dfshell\_service\_account\_name](#output\_dfshell\_service\_account\_name) | The name of the service account for dfshell |
+| [dma\_role\_arn](#output\_dma\_role\_arn) | The ARN of the AWS Bedrock role |
+| [dma\_service\_account\_name](#output\_dma\_service\_account\_name) | The name of the service account for dma |
| [domain\_name](#output\_domain\_name) | The domain name to be used in DNS configuration |
+| [github\_reverse\_proxy\_url](#output\_github\_reverse\_proxy\_url) | The URL of the API Gateway that acts as a reverse proxy to the GitHub API |
| [k8s\_load\_balancer\_controller\_role\_arn](#output\_k8s\_load\_balancer\_controller\_role\_arn) | The ARN of the role provisioned so the k8s cluster can edit the target group through the AWS load balancer controller. |
| [lb\_name](#output\_lb\_name) | The name of the external load balancer |
| [load\_balancer\_ips](#output\_load\_balancer\_ips) | The load balancer IP when it was provisioned. |
+| [operator\_role\_arn](#output\_operator\_role\_arn) | The ARN of the AWS Bedrock role |
+| [operator\_service\_account\_name](#output\_operator\_service\_account\_name) | The name of the service account for operator |
| [postgres\_database\_name](#output\_postgres\_database\_name) | The name of the pre-provisioned database. |
| [postgres\_host](#output\_postgres\_host) | The DNS name for the postgres database |
| [postgres\_password](#output\_postgres\_password) | The generated postgres password to be used by the application |
| [postgres\_port](#output\_postgres\_port) | The port configured for the RDS database |
| [postgres\_username](#output\_postgres\_username) | The postgres username to be used by the application |
+| [private\_access\_vpces\_name](#output\_private\_access\_vpces\_name) | Name of the VPCE service that allows private access to the cluster endpoint |
| [redis\_data\_size](#output\_redis\_data\_size) | The size in GB of the Redis data volume. |
| [redis\_data\_volume\_id](#output\_redis\_data\_volume\_id) | The EBS volume ID of the Redis data volume. |
| [redis\_password](#output\_redis\_password) | The generated redis password to be used in the application deployment |
+| [scheduler\_role\_arn](#output\_scheduler\_role\_arn) | The ARN of the AWS Bedrock role |
+| [scheduler\_service\_account\_name](#output\_scheduler\_service\_account\_name) | The name of the service account for scheduler |
| [security\_group\_id](#output\_security\_group\_id) | The security group ID managing ingress from the load balancer |
+| [server\_role\_arn](#output\_server\_role\_arn) | The ARN of the AWS Bedrock role |
+| [server\_service\_account\_name](#output\_server\_service\_account\_name) | The name of the service account for server |
+| [storage\_worker\_role\_arn](#output\_storage\_worker\_role\_arn) | The ARN of the AWS Bedrock role |
+| [storage\_worker\_service\_account\_name](#output\_storage\_worker\_service\_account\_name) | The name of the service account for storage\_worker |
| [target\_group\_arn](#output\_target\_group\_arn) | The ARN to the target group where the pods need to be registered as targets. |
| [vpc\_cidr](#output\_vpc\_cidr) | The CIDR of the entire VPC |
+| [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+| [vpces\_azs](#output\_vpces\_azs) | Set of availability zones where the VPCES is available. |
+| [worker\_catalog\_role\_arn](#output\_worker\_catalog\_role\_arn) | The ARN of the AWS Bedrock role |
+| [worker\_catalog\_service\_account\_name](#output\_worker\_catalog\_service\_account\_name) | The name of the service account for worker\_catalog |
+| [worker\_interactive\_role\_arn](#output\_worker\_interactive\_role\_arn) | The ARN of the AWS Bedrock role |
+| [worker\_interactive\_service\_account\_name](#output\_worker\_interactive\_service\_account\_name) | The name of the service account for worker\_interactive |
+| [worker\_lineage\_role\_arn](#output\_worker\_lineage\_role\_arn) | The ARN of the AWS Bedrock role |
+| [worker\_lineage\_service\_account\_name](#output\_worker\_lineage\_service\_account\_name) | The name of the service account for worker\_lineage |
+| [worker\_monitor\_role\_arn](#output\_worker\_monitor\_role\_arn) | The ARN of the AWS Bedrock role |
+| [worker\_monitor\_service\_account\_name](#output\_worker\_monitor\_service\_account\_name) | The name of the service account for worker\_monitor |
+| [worker\_portal\_role\_arn](#output\_worker\_portal\_role\_arn) | The ARN of the AWS Bedrock role |
+| [worker\_portal\_service\_account\_name](#output\_worker\_portal\_service\_account\_name) | The name of the service account for worker\_portal |
+| [worker\_role\_arn](#output\_worker\_role\_arn) | The ARN of the AWS Bedrock role |
+| [worker\_service\_account\_name](#output\_worker\_service\_account\_name) | The name of the service account for worker |
+| [worker\_singletons\_role\_arn](#output\_worker\_singletons\_role\_arn) | The ARN of the AWS Bedrock role |
+| [worker\_singletons\_service\_account\_name](#output\_worker\_singletons\_service\_account\_name) | The name of the service account for worker\_singletons |
diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf
index 919ee09..2c4cbc5 100644
--- a/modules/eks/outputs.tf
+++ b/modules/eks/outputs.tf
@@ -24,7 +24,7 @@ output "dfshell_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "dfshell_service_account_name" {
- value = var.dfshell_service_account_name
+ value = local.dfshell_service_account_name
description = "The name of the service account for dfshell"
}
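Review bot: The description `description = "The name of the service account for dfshell"` no longer tells the reader that the value is the prefixed name built in `local.dfshell_service_account_name`, which is exactly why the change matters: the IRSA trust condition in roles.tf is built from the same local, so whatever creates the Kubernetes ServiceAccount from this output must use it verbatim or the role cannot be assumed by the pod. Suggest `description = "The name of the service account for dfshell (service_account_prefix already applied; must match the ServiceAccount name bound in the IRSA trust policy)"`. The same applies to the other twelve service-account outputs changed in this file (worker_portal through dma).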
@@ -34,7 +34,7 @@ output "worker_portal_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "worker_portal_service_account_name" {
- value = var.worker_portal_service_account_name
+ value = local.worker_portal_service_account_name
description = "The name of the service account for worker_portal"
}
@@ -44,7 +44,7 @@ output "operator_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "operator_service_account_name" {
- value = var.operator_service_account_name
+ value = local.operator_service_account_name
description = "The name of the service account for operator"
}
@@ -54,7 +54,7 @@ output "server_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "server_service_account_name" {
- value = var.server_service_account_name
+ value = local.server_service_account_name
description = "The name of the service account for server"
}
@@ -64,7 +64,7 @@ output "scheduler_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "scheduler_service_account_name" {
- value = var.scheduler_service_account_name
+ value = local.scheduler_service_account_name
description = "The name of the service account for scheduler"
}
@@ -74,7 +74,7 @@ output "worker_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "worker_service_account_name" {
- value = var.worker_service_account_name
+ value = local.worker_service_account_name
description = "The name of the service account for worker"
}
@@ -84,7 +84,7 @@ output "worker_catalog_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "worker_catalog_service_account_name" {
- value = var.worker_catalog_service_account_name
+ value = local.worker_catalog_service_account_name
description = "The name of the service account for worker_catalog"
}
@@ -94,7 +94,7 @@ output "worker_interactive_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "worker_interactive_service_account_name" {
- value = var.worker_interactive_service_account_name
+ value = local.worker_interactive_service_account_name
description = "The name of the service account for worker_interactive"
}
@@ -104,7 +104,7 @@ output "worker_singletons_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "worker_singletons_service_account_name" {
- value = var.worker_singletons_service_account_name
+ value = local.worker_singletons_service_account_name
description = "The name of the service account for worker_singletons"
}
@@ -114,7 +114,7 @@ output "worker_lineage_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "worker_lineage_service_account_name" {
- value = var.worker_lineage_service_account_name
+ value = local.worker_lineage_service_account_name
description = "The name of the service account for worker_lineage"
}
@@ -124,7 +124,7 @@ output "worker_monitor_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "worker_monitor_service_account_name" {
- value = var.worker_monitor_service_account_name
+ value = local.worker_monitor_service_account_name
description = "The name of the service account for worker_monitor"
}
@@ -134,7 +134,7 @@ output "storage_worker_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "storage_worker_service_account_name" {
- value = var.storage_worker_service_account_name
+ value = local.storage_worker_service_account_name
description = "The name of the service account for storage_worker"
}
@@ -144,7 +144,7 @@ output "dma_role_arn" {
description = "The ARN of the AWS Bedrock role"
}
output "dma_service_account_name" {
- value = var.dma_service_account_name
+ value = local.dma_service_account_name
description = "The name of the service account for dma"
}
diff --git a/modules/eks/roles.tf b/modules/eks/roles.tf
index ee80600..df7f894 100644
--- a/modules/eks/roles.tf
+++ b/modules/eks/roles.tf
@@ -1,3 +1,21 @@
+# Locals for service account names (with prefix)
+locals {
+ dfshell_service_account_name = "${var.service_account_prefix}${var.dfshell_service_account_name}"
+ worker_portal_service_account_name = "${var.service_account_prefix}${var.worker_portal_service_account_name}"
+ operator_service_account_name = "${var.service_account_prefix}${var.operator_service_account_name}"
+ server_service_account_name = "${var.service_account_prefix}${var.server_service_account_name}"
+ scheduler_service_account_name = "${var.service_account_prefix}${var.scheduler_service_account_name}"
+ worker_service_account_name = "${var.service_account_prefix}${var.worker_service_account_name}"
+ worker_catalog_service_account_name = "${var.service_account_prefix}${var.worker_catalog_service_account_name}"
+ worker_interactive_service_account_name = "${var.service_account_prefix}${var.worker_interactive_service_account_name}"
+ worker_singletons_service_account_name = "${var.service_account_prefix}${var.worker_singletons_service_account_name}"
+ worker_lineage_service_account_name = "${var.service_account_prefix}${var.worker_lineage_service_account_name}"
+ worker_monitor_service_account_name = "${var.service_account_prefix}${var.worker_monitor_service_account_name}"
+ storage_worker_service_account_name = "${var.service_account_prefix}${var.storage_worker_service_account_name}"
+ dma_service_account_name = "${var.service_account_prefix}${var.dma_service_account_name}"
+ clickhouse_backup_service_account_name = "${var.service_account_prefix}${var.clickhouse_backup_service_account_name}"
+}
+
# Policies
resource "aws_iam_policy" "bedrock_access_policy" {
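Review bot: The header comment `# Locals for service account names (with prefix)` undersells what these locals are: they are the single source of the Kubernetes ServiceAccount names that the IRSA trust policies below (`namespace_service_accounts = ["${var.deployment_name}:${local.dfshell_service_account_name}"]`) and the outputs in outputs.tf are both derived from, so any drift between them and the ServiceAccount `metadata.name` in the cluster breaks role assumption. Suggest `# Fully-qualified ServiceAccount names: var.service_account_prefix applied exactly once. These are the names bound in the IRSA trust policies below and exposed as module outputs; the in-cluster ServiceAccounts must use them verbatim.` Note also that `clickhouse_backup_service_account_name` is defined here but none of the visible hunks reads it; if it is consumed elsewhere (e.g. the clickhouse_backup module) that is fine, otherwise it is dead. Nothing here validates that prefix + name forms a valid DNS-1123 ServiceAccount name; presumably the variables' own validation covers that, which is worth confirming.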
@@ -73,7 +91,7 @@ module "dfshell_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.dfshell_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.dfshell_service_account_name}"]
}
}
}
@@ -89,7 +107,7 @@ module "worker_portal_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_portal_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.worker_portal_service_account_name}"]
}
}
}
@@ -105,7 +123,7 @@ module "operator_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.operator_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.operator_service_account_name}"]
}
}
}
@@ -121,7 +139,7 @@ module "server_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.server_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.server_service_account_name}"]
}
}
}
@@ -137,7 +155,7 @@ module "scheduler_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.scheduler_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.scheduler_service_account_name}"]
}
}
}
@@ -153,7 +171,7 @@ module "worker_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.worker_service_account_name}"]
}
}
}
@@ -169,7 +187,7 @@ module "worker_catalog_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_catalog_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.worker_catalog_service_account_name}"]
}
}
}
@@ -185,7 +203,7 @@ module "worker_interactive_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_interactive_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.worker_interactive_service_account_name}"]
}
}
}
@@ -201,7 +219,7 @@ module "worker_singletons_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_singletons_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.worker_singletons_service_account_name}"]
}
}
}
@@ -217,7 +235,7 @@ module "worker_lineage_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_lineage_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.worker_lineage_service_account_name}"]
}
}
}
@@ -233,7 +251,7 @@ module "worker_monitor_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_monitor_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.worker_monitor_service_account_name}"]
}
}
}
@@ -249,7 +267,7 @@ module "storage_worker_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.storage_worker_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.storage_worker_service_account_name}"]
}
}
}
@@ -263,7 +281,7 @@ module "clickhouse_backup_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.clickhouse_backup_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.clickhouse_backup_service_account_name}"]
}
}
}
@@ -279,7 +297,7 @@ module "dma_role" {
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.dma_service_account_name}"]
+ namespace_service_accounts = ["${var.deployment_name}:${local.dma_service_account_name}"]
}
}
}
diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf
index 5729198..1829c29 100644
--- a/modules/eks/variables.tf
+++ b/modules/eks/variables.tf
@@ -109,7 +109,7 @@ variable "sg_tags" {
variable "service_account_prefix" {
type = string
- default = "datafold-"
+ default = ""
description = "Prefix for service account names (e.g., 'datafold-' for 'datafold-server', or '' for no prefix)"
}
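Review bot: Changing the default of `service_account_prefix` from `"datafold-"` to `""` silently rewrites the IRSA trust-policy subject of every role built from it — the `namespace_service_accounts` entries become `<deployment>:server` instead of `<deployment>:datafold-server` on the next apply for any deployment that never pinned the variable, and pods whose Kubernetes service accounts still carry the old prefix will then fail `sts:AssumeRoleWithWebIdentity`. The description on the unchanged line should say that this value must match the service account names actually created in the cluster and that changing it is a trust-policy change to roll out together with the chart, e.g. `description = "Prefix for service account names (e.g., 'datafold-' for 'datafold-server', or '' for no prefix). Must match the service account names deployed in the cluster; changing it rewrites the IRSA trust-policy subjects of every role."` Since the value is interpolated into an OIDC `sub` condition, a `validation` block restricting it to lowercase DNS-label characters (`[a-z0-9-]*`) would also catch typos before they land in IAM. Whether a root-level variable of the same name with its own default overrides this one is not visible here.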